Adrian Trenholm Coda del gruppo

Posted
22 August 2005 @ 5pm

Tagged
Doing business, Design

Let’s stop inaccessible CAPTCHAs

You have probably seen more and more CAPTCHAs in use on blog comment forms. The trend might grow now that Blogger has made them widely available with a feature called word verification for comments. Widespread use of CAPTCHAs must be stopped.

What’s a CAPTCHA, I hear you ask? It is a tool to verify that a web form is being completed by a human being, as opposed to completed automatically by a spamming program. It works like this: a picture of a word or multi-digit number is generated randomly and placed on the web form. The person filling in the form must read the word or number, then type it into a form field before submission. If the person’s answer matches the word or number in the picture, then the form is accepted. In theory at least, spamming machines cannot read pictures and therefore can’t beat the test.

So what’s the problem? CAPTCHAs discriminate heavily against anyone with impaired vision. An odd font, which cannot be resized or read by a screen reader, on a busy background? The chances of a blind, partially sighted, or colour blind user getting past a CAPTCHA are slim. Even those of us with good vision have problems. Also, many CAPTCHA implementations can be cracked by machines. That may not be happening right now, but if enough people use CAPTCHAs, the spammers will adapt. So Blogger has just deployed a “solution” which might continue to let in spam, but which locks out a large minority of human beings.

Here’s what you can do:

  1. For Blogger and BlogSpot users: CAPTCHAs (word verification for comments) are switched off by default. Leave them switched off.

  2. If you are using a CAPTCHA already: stop. You are not a bad person - you probably didn’t consider all the implications. That’s OK. You know now. Please consider removing your CAPTCHA. Apart from the obvious reputation problems if your business is uncovered as a discriminator, you could be at legal risk under the Rehabilitation Act in the US or the Disability Discrimination Act in the UK.

  3. If you come across a CAPTCHA: complain. I have avoided doing this to date, because I don’t want to look arrogant to other bloggers, but when one of the largest blog software providers starts to provide something so discriminatory as standard, we all have to speak up. Fill in the form, leave your comment or what have you, then add something like this:

    Please be aware: the image CAPTCHA device that you use to prevent spam on this form discriminates against blind, partially sighted and colour blind users. You may also be exposing yourself or your organisation to legal risk under anti-discrimination laws.

  4. If you have a blog: please write a short post to explain the discriminatory nature of CAPTCHAs and ask that your readers do the same. Yes, I am proposing an anti-CAPTCHA meme.

When you post or complain in a comment, here are some good links to mention:

W3C: Inaccessibility of Visually-Oriented Anti-Robot Tests
D Keith Robinson: I hate CAPTCHA
David Naylor: CAPTCHA - is it good or evil
Eric Meyer: WP Gatekeeper (a rather technical post, but an interesting accessible alternative to using CAPTCHA)

If you can suggest other links for this list, then by all means leave them in the comments.

PS I have classified this under “Doing business” because so long as CAPTCHA usage, in particular, and accessibility, in general, are perceived as design or development issues, they won’t get the attention they deserve.

PPS Two rants in two posts? What the hell have they put in the water round here?


23 Comments

Posted by
louise
23 August 2005 @ 11am

Yah, yah, protest about it without offering a better solution to preventing spam like the fake emails getting sent from your site. Either come up with something better or else shut the heck up.


Posted by
Adrian
23 August 2005 @ 3pm

First off, thanks for your comment.

Let’s make a distinction between stopping comment spam via a CAPTCHA and email spam from spoofed email addresses. The fake emails are not being sent from my site. My email address has been spoofed. Anyone’s email address can be spoofed, either by a spammer who harvests them from a website, or by the spammer who illicitly gets hold of an email address book containing the address to be spoofed.

If you have received a spam email purporting to be from me, then there really is little I can do about that - and please rest assured anything I could do, I would. It does me no good to have comments like yours appearing on this blog, or to have my email address being labelled as spam in other people’s email clients. My address has been spoofed not because I have done anything wrong - my firewall and virus checking are up to date and working - but because spammers are devious little toerags.

Just to be clear, CAPTCHA is not a solution to email spoofing or email spam. It is one possible solution to comment spam, but it is one which discriminates against visually impaired web users, and I find that discrimination unacceptable.

As you ask for a better solution to prevent comment spam, I refer you to Eric Meyer’s CAPTCHA alternative, WP Gatekeeper, which I did mention in my post. Eric’s code is specific to WordPress, but the principle is applicable to all web forms. The idea works on providing a human readable question (perhaps a logic puzzle or even a simple “what is my name?”).

Other solutions can include moderating comments, registration coupled with whitelisting, blacklisting etc. Even something as simple as renaming your comment form can make a difference. Most anti-spam measures can be set to work in all cases or be triggered by comments which contain links elsewhere (almost all comment spam contains links).

There are more discussions of non-CAPTCHA methods for preventing comment spam here and here, and no doubt plenty more links elsewhere.

Given the plethora of alternative methods for tackling comment spam, do you still think it acceptable to use the one method which so blatantly discriminates against visually impaired users?


Posted by
Phil Gerbyshak
24 August 2005 @ 2am

I think that any method that discriminates can be problematic. As long as there is a choice, I would agree to turn off the CAPTCHA feature.

Good post Adrian, and good explanation in your comment. Inclusion is important, and never moreso than on the Internet. Thanks for the tip.

As always, 100% CAPTCHA free!


Posted by
louise
24 August 2005 @ 1pm

So let’s see, your alternatives are something which doesn’t exist except for WordPress, logic puzzles (discriminating against the dyslexic or maths impaired) or questions like “what is my name” as though that couldn’t be hacked just as easy as you claim CAPTCHA can? Or on something the size of blogger, craigslist, etc moderating/blacklisting/whitelisting? Do you have any idea the number of resources that would take? Somehow, I don’t think so.

Just how many blind people are using the internet anyway? And how many spammers?


Posted by
Donna
24 August 2005 @ 2pm

There are two million people with sight problems in the UK (according to RNIB’s website) I believe that makes over 3% and that is a significant proportion.

Why on earth shouldn’t/wouldn’t they use the internet? You do… I do… goodness I think even my mum might have once!

Anyhow, multiply 2 million by all the other countries out there and that’s a fair bunch of people that are often needlessly discriminated against.


Posted by
Adrian
24 August 2005 @ 4pm

Louise, your view seems to be “discrimination is OK in this instance, because I only discriminate against a small number of people. Being inclusive takes too much effort.”

I disagree with your view very strongly. No matter how few are disadvantaged, discrimination, in my view, is not OK.


[…] uise that made me do it, or am I just an ass by nature? Let me recap: I post that I think CAPTCHA - a technique for stopping comment spam - is the devil’s work, for it is not accessible to visuall […]


Posted by
Eric
22 December 2005 @ 12am

First, CAPTCHA systems don’t prevent people from reading my content. They merely keep people from commenting on my post.

Further, CAPTCHA systems don’t keep people from participating, so long as trackbacks are enabled. They always have the option of setting up their own system and writing their response as a trackback to my comment.

Finally, such deaf-blind users always have the option of emailing the owner personally, and comments can be posted manually.

That said, where I have my CAPTCHA on my forum, I have a link to my email where it exists. Luckily, I have a small enough forum that I can deal with such email as it comes. Unfortunately, the email has already been inundated with spam.

I haven’t gotten it through their head that if I don’t buy viagra this time, I’m probably not interested. :)


Posted by
Noontide Blog » Blog Archive » CAPTCHAs
22 December 2005 @ 6am

[…] feature called word verification for comments. Widespread use of CAPTCHAs must be stopped. 1. In reality thought nobody should […]


Posted by
Stefan
22 December 2005 @ 5pm

I agree with you completely on this. Not only do CAPTCHAs discriminate against the visually impaired, they are also just damn annoying!


Posted by
Ramsay
23 December 2005 @ 9am

While I agree that CAPTCHAs are annoying, I fail to see how the injustice is so terrible. If life was fair and the internet not a study in chaos theory then maybe the changes you suggest could matter.

I think Louise was merely working on the premise of the greatest good for the greatest number of people idea. You might start railing against pharmaceutical companies that won’t find cures for diseases that only a few people have. At least you would be saving someone’s life instead of their ability to post comments on the web.


Posted by
Chirs
27 December 2005 @ 5am

“a large minority of human beings”

That sounded funny to me.


Posted by
John
25 January 2006 @ 5am

My add-url form has suddenly been hit by a bot (bots) that try to have multiple links placed on my site.

This is despite the page stating that submissions will be reviewed by a human.

So, what do I do?

I have just found out that one calls catchas “catcha” and that I can get them for free and that they seem fairly easy to install.

I can’t wait to install it on my form … unless you can suggest an alternative?


Posted by
Craig
13 March 2006 @ 5am


Posted by
Ethan
8 November 2006 @ 7pm

Although my post is over a year late I thought I would comment. I agree that captchas are not a good idea, and not just from a moral standpoint, but also from a business standpoint. You want to make the process of purchasing, commenting, and contacting as easy as possible for your visitors (Captchas don’t do that).

There are many possible alternatives to this thought process, for instance have people answer a question, like wp-gatekeeper, or if you want an image show an image of an animal (something simple like cat, dog, pig). Or use style sheets to hide an input field from view. If the input field is filled out you know it wasn’t a human.

However, I disagree with the author on one point; posting comments to a website threatening them with legal action is ridiculous. Make people aware of the problem don’t threaten them. Humans have a habit of getting very stubborn when they feel they are being forced.
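Added example, not part of the original thread or any commenter's code: a server-side check combining the CSS-hidden input field suggested in the comment above with the link-triggered moderation Adrian describes earlier. The field name `website_url`, the `comment` field, the `max_links` threshold and the sample submissions are all assumptions made for illustration.

```python
import re

# Hypothetical field name; it is hidden with CSS, so a person never fills it in.
HONEYPOT_FIELD = "website_url"

# Form markup for the hidden field. The label tells screen reader users,
# who may still encounter a CSS-hidden field, to leave it empty.
HONEYPOT_HTML = """
<p style="position:absolute; left:-9999px">
  <label for="website_url">Leave this field empty</label>
  <input type="text" id="website_url" name="website_url"
         tabindex="-1" autocomplete="off">
</p>
"""

# Link-like tokens: http(s) URLs, bare www. hosts, HTML and BBCode link markup.
LINK_RE = re.compile(r"https?://|www\.|<a\s|\[url", re.IGNORECASE)


def count_links(text):
    """Number of link-like tokens in a comment body."""
    return len(LINK_RE.findall(text))


def screen_comment(form, max_links=0):
    """Classify one submitted comment form (a dict of field name -> value).

    "reject"   : the hidden honeypot field was filled in, or the body is empty
    "moderate" : the body holds more than max_links links; hold for a human
    "accept"   : publish straight away
    """
    if form.get(HONEYPOT_FIELD, "").strip():
        return "reject"
    body = form.get("comment", "")
    if not body.strip():
        return "reject"
    if count_links(body) > max_links:
        return "moderate"
    return "accept"


# Constructed sample submissions (not taken from any real site).
SAMPLES = [
    {"name": "reader", "comment": "Good point about screen readers.",
     "website_url": ""},
    {"name": "bot", "comment": "nice post",
     "website_url": "http://spam.example/"},
    {"name": "reader2", "comment": "See http://example.org/notes for more.",
     "website_url": ""},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["name"], "->", screen_comment(sample))
```

Comments that contain links are held for review rather than dropped, so a person who posts a legitimate link is delayed, not locked out.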


Posted by
cutthecrap
2 February 2007 @ 6pm

First, the widely-held yet rather naive notion that CAPTCHA (in the most common obscured-characters format) “discriminates” against the visually impaired, is logically inconsistent. These same people who just read your blog post in 8- or 10-point font, now suddenly have problems reading 20-point characters mapped over wavy lines? Fact is, almost no “visually impaired” folks are TOTALLY BLIND; most are just unfortunate enough to need some sort of eyeglasses. If you can read a blog, and read your own reply as you type it, you can handle CAPTCHA, unless the implementation is really bad (and I have no objection if you wish to crusade against poorly-implemented CAPTCHA). To underscore the point, of the “2 million people with sight problems in the UK”, only 120,000 or so are legally blind, and even most of those can read a web page - and hence, deal with CAPTCHA - while wearing prescription lenses. The few who cannot are the same folks who use audio transcription and navigate the web by auditory means, and properly-designed CAPTCHA systems provide auditory alternatives for that reason. Note that these are equally usable by the “people with good eyesight [who] have problems with CAPTCHA.”

Second, you seem to be mostly concerned with the “inconvenience” of having to authenticate yourself as a human when posting something. Believe me, it’s a whole lot easier for a few people to “suck it up” and work with the CAPTCHA system, than it is for EVERYONE to have to “suck it up” and deal with the barrage of junk that results from improperly-secured blogs, not to mention the cascading problems that such a mess creates e.g. distorted search engine results, etc.

The argument about “not being inclusive” is just facile. I don’t hear too many people complain about airlines “discriminating against” or “not being inclusive of” the visually-impaired when it comes to hiring pilots. While I’m all in favor of ensuring that reasonable access is provided to partially-sighted web surfers, to aver that CAPTCHA is non-inclusive is just naive; CAPTCHA is currently the best line of defense against comment spam, without which the blogs wouldn’t be worth reading by anyone, partially sighted or not, and as already mentioned, CAPTCHA is not the insurmountable barrier to participation by partially-sighted users you portray it to be.

Every system has flaws. Logic problems like those in wp-gatekeeper “discriminate” against both the dyslexic and those who only read a non-English language. Until and unless you can actually come up with a superior alternative (and wp-gatekeeper isn’t superior), maybe you shouldn’t be so dogmatic in your criticism of the working, if not yet perfect solution gifted to you.


Posted by
Adrian
8 February 2007 @ 11am

I agree, each system does have its flaws, and you have obviously given thought to them.

My principal objection to Blogger’s offering CAPTCHA is that it is offering a largely inaccessible anti-spam measure to an audience which is unlikely to know or give thought to CAPTCHA’s flaws or to alternative, more accessible, anti spam measures. Blogger however does know about the flaws and the alternatives - I think it would have been great if Blogger had put accessibility on a par with controlling spam, and put its resources into developing an accessible system.

So does the RNIB as reported by the BBC:

Captchas are starting to cause problems for anyone who is blind or has impaired vision and cannot see the characters they are being asked to decipher.

“If [CAPTCHA] prevents visually impaired people from using a service then we have a serious problem on our hands,” said Julie Howell, campaigns officer at the Royal National Institute for the Blind in the UK.

She said legislation in the Britain and US demands that companies make websites accessible to people with disabilities.

“Security and accessibility must co-exist, not conflict,” she said.

You are not the first person to point out Gatekeeper’s flaws and I agree there too. But Gatekeeper is not the only solution. Once the spam on this site got too much to moderate, I installed Spam Karma 2 with Akismet. Problem solved. No false positives to date, and only two spams have slipped through the net in the nearly 30,000 spam comments caught to date.

I don’t agree with you that CAPTCHA is as easy to read as an 8 or 10 point font on a white background, or that anyone with a visual impairment short of outright blindness should be able to cope / “suck it up.”

This, from the W3C, hits the mark:

Sites with attractive resources and millions of users will always have a need for access control systems that limit widespread abuse. At that level, it is reasonable to employ many concurrent approaches, including audio and visual CAPTCHA, to do so. However, it must be noted that human users will fall through the cracks in these systems, and it will be necessary for sites like these to ensure that users with disabilities will have some human-operated means of interacting with a given resource in a reasonable amount of time.

The widespread use of CAPTCHA in low-volume, low-resource sites, on the other hand, is unnecessarily damaging to the experience of users with disabilities. An explicitly inaccessible access control mechanism should not be promoted as a solution, especially when other systems exist that are not only more accessible, but may be more effective, as well. It is strongly recommended that smaller sites adopt spam filtering and/or heuristic checks in place of CAPTCHA.

As for being dogmatic, I have covered that elsewhere.


Posted by
Jason
6 June 2007 @ 10pm

Adrian,

Great article. I am a firm believer of an “open” web and completely agree with your opinion that CAPTCHAs are bad news. Thank you for posting this to spread the word.

@cutthecrap: Have you ever had someone read a phone number to you when you didn’t have a pen to write it down? Humans have terrible short term memory, so things so simple as phone numbers are difficult to remember the first time we hear them. With phone numbers we can expect certain patterns (for instance, just about every number in my hometown will start with 323, so I know to expect 323 if I know the number is located somewhere in my town). Every site implements CAPTCHA differently–different lengths, different combinations of letters and numbers and often every code generated is vastly different from the previous. That makes it difficult to anticipate the spoken code. And, unlike sighted people, legally blind users don’t have the option of writing down the code as they hear it.

Reading a blog is much different than reading a CAPTCHA and a visually impaired user isn’t stuck reading the page at 10pt either–try pressing the control and plus keys on your keyboard a few times and watch what happens.

I work for a college that caters to deaf students. What most people don’t realize is that many deaf people have visual impairments as well as hearing impairments, many so severe that they won’t be able to use a complex CAPTCHA in either visual or auditory mode.

Deaf people DO use the internet–in fact these days they use tools such as IM and video conferencing services much more than they use traditional telephone/TTY combinations to make calls. Why should we expect that blind users are any less likely to do the same? When I get stuck somewhere, such as while waiting for someone to meet up with me, I generally pass the time waiting by either reading a book or browsing the web. If I were less mobile (such as due to blindness) I would probably spend even more of my time doing that. There are great tools out there to make computers accessible to blind people, such as JAWS. But JAWS is only as accessible as the screen it is reading.


Posted by
CAPTCAH Rocks
12 September 2007 @ 10pm

Isn’t “large minority” an oxymoron?

Also, if I did not use CAPTCHAs I would get thousands of spam a day. I am perfectly willing to not be accessible to a few blind people if it means I do not have to sort through thousands of spam. And this is in no way discrimination. I do not use CAPTCHAs because I don’t like blind people and I don’t want them to use my site, I use them to prevent spam. A blind person could always send me an email and I could manually do things for them.

I use a very simple CAPTCHA on a medium traffic site and it prevents almost all spam. Without it, I would get about 8000 spam a day, with CAPTCAH I only get 5 spam a day.

It seems like you are uneducated about this topic and that you want to encourage spammers. Don’t believe everything you read on the net.


Posted by
Adrian
13 September 2007 @ 11am

Oh, come on!

Uneducated on this topic?

Want to encourage spammers?

That will be stratagems 8, 32 and 38 from Schopenhauer’s Art of Controversy then.

All nonsense, of course. Thanks for playing.

PS It’s spelt CAPTCHA, by the way.


Posted by
Nimo
29 October 2007 @ 9pm

Great post, and most of the comments as well :)
About visually impaired / blind Internet users -
They don’t read the 10pt, and many don’t use ctrl-+ as well. There are browser-readers and the XHTML format to help with that. Have a look at some government accessibility guidelines - it’s a whole new world out there.


Posted by
Nazz
21 May 2008 @ 3am

The future is to make users pay to comment. Otherwise, anyone can and will come into your forum and post SPAM. Bots will destroy any forum that is not moderated. I tried a fully open forum on a site where anyone could post without registering or even logging in, just like you have here. The bots eventually killed the site.


Posted by
Andy Williams
19 August 2008 @ 11am

I work for RNIB, and I’ve been doing some research on CAPTCHA. This post (along with the comments) has been very useful. I am amazed at the luddite attitude of some of these comments, from people who seem happy to continue discriminating against blind and partially sighted people without wanting to find an alternative method of spam prevention. I can totally understand the need for spam prevention.